That feels a bit anticlimactic next to all the noise Cisco made around its Application-Centric Infrastructure (ACI) earlier this year — but then again, ACI was undergoing its long-awaited launch at Cisco Live, whereas NSX has been shipping for more than a year. Rather than using its stage to snipe back at Cisco, it appears VMware will be emphasizing the broadening uses for NSX.


Specifically, that means talking about using NSX’s microsegmentation as a vehicle for security. Some customers are attracted to NSX specifically for that reason, as Gelsinger mentioned on VMware’s recent earnings call, and microsegmentation can also be one further argument that gets NSX’s foot in the door, says Chris King, a VMware vice president of product marketing.

“VMware is increasingly a relevant player in security without really having a security product,” King says.

Securing the East-West Network

With NSX, VMware says it can have security permeate the network, rather than just protect the outside. The latter strategy is common but leaves the network’s innards vulnerable after a breach; an attacker that gets inside is free to roam the network. (The soft creamy center, as the now-famous candy bar metaphor goes.)

Another way to say it is that firewalls are built to safeguard north-south traffic — packets moving into and out of a network perimeter. VMware wants to add security inside the perimeter, for east-west traffic patterns between virtual machines.

By segmenting the network, one could get around the squishy-insides problem, but it becomes more difficult to do in the face of virtualization, where the endpoints of a tunnel can move. A usual pattern is for traffic to “hairpin” into a firewall and go back out to the node it came from; what happens to that operation if the node’s IP address changes?

“It won’t stop every breach, but what it does is, it effectively compartmentalizes the network so that damage is limited,” King says.

VMware NSX Security – Distributed Firewalls, at Last

Essentially, this all adds up to NSX using virtual switches like a distributed firewall. This isn’t a new idea; what’s different is that NSX makes it operationally more feasible, VMware says. It wouldn’t be practical (or cheap) to do this with physical firewalls. And virtual firewalls have been considered unfit for this job because of performance limitations, but VMware claims it’s beaten that problem.

“The virtual-machine-based instances of those devices typically have an order of magnitude or two less performance. By virtue of being in the kernel, we pass that bar,” achieving firewall speeds of 20 Gb/s, King says.

VMware doesn’t expect to replace traditional firewalls. For times when an operator needs deeper inspection that gets into the nature of the application, a separate firewall such as Palo Alto Networks’ would be necessary, King says. That was the purpose of the partnership announced in November — using Palo Alto Networks’ technology in virtual form to watch east-west traffic, with NSX deciding which packet flows go through that firewall.
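The three ideas above (east-west rules enforced at each VM rather than at the perimeter, policy that survives a VM changing its IP address, and steering only selected flows to a deeper-inspection firewall) can be shown in a small model. The following is an added illustration, not VMware’s or NSX’s code; the tag names, rule syntax, VM inventory, addresses and ports are all constructed for the example.

```python
"""Toy model of a hypervisor-distributed firewall with identity-based
microsegmentation rules. Added example; not VMware's code. The rule
syntax, security tags, VM names and IP addresses are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ALLOW, DROP, REDIRECT = "allow", "drop", "redirect"


@dataclass
class VM:
    name: str
    ip: str
    tags: Set[str] = field(default_factory=set)  # security groups, not addresses


@dataclass
class Rule:
    src_tag: str              # security group of the sending VM
    dst_tag: str              # security group of the receiving VM
    dst_port: Optional[int]   # None matches any port
    action: str               # allow / drop / redirect (to a deep-inspection VM firewall)


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int


class DistributedFirewall:
    """Policy is evaluated at each VM's virtual NIC, so east-west flows never
    hairpin through a perimeter box. Rules reference tags; the hypervisor keeps
    the IP-to-VM mapping current, so an address change does not break policy."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.inventory: Dict[str, VM] = {}   # ip -> VM, maintained by the platform

    def register(self, vm: VM) -> None:
        self.inventory[vm.ip] = vm

    def move(self, vm: VM, new_ip: str) -> None:
        """Re-addressing after a migration: identity (tags) travels with the VM."""
        del self.inventory[vm.ip]
        vm.ip = new_ip
        self.inventory[new_ip] = vm

    def decide(self, flow: Flow) -> str:
        src = self.inventory.get(flow.src_ip)
        dst = self.inventory.get(flow.dst_ip)
        if src is None or dst is None:
            return DROP                      # unknown endpoint: default deny
        for r in self.rules:                 # first match wins
            if (r.src_tag in src.tags and r.dst_tag in dst.tags
                    and (r.dst_port is None or r.dst_port == flow.dst_port)):
                return r.action
        return DROP                          # no rule matched: default deny


def build_demo() -> DistributedFirewall:
    """Three-tier workload with constructed tags and addresses."""
    fw = DistributedFirewall([
        Rule("web", "app", 8080, ALLOW),     # only the app port, east-west
        Rule("app", "db", 3306, REDIRECT),   # send DB traffic through deep inspection
        Rule("web", "db", None, DROP),       # web tier may never talk to the database
    ])
    for vm in (VM("web-1", "10.0.1.10", {"web"}),
               VM("app-1", "10.0.2.10", {"app"}),
               VM("db-1", "10.0.3.10", {"db"})):
        fw.register(vm)
    return fw


def demo() -> Dict[str, str]:
    """Decisions before and after the app VM changes address."""
    fw = build_demo()
    results = {
        "web->app:8080": fw.decide(Flow("10.0.1.10", "10.0.2.10", 8080)),
        "web->db:3306": fw.decide(Flow("10.0.1.10", "10.0.3.10", 3306)),
        "app->db:3306": fw.decide(Flow("10.0.2.10", "10.0.3.10", 3306)),
        "web->app:22": fw.decide(Flow("10.0.1.10", "10.0.2.10", 22)),
    }
    app = fw.inventory["10.0.2.10"]
    fw.move(app, "10.0.2.77")
    results["app(moved)->db:3306"] = fw.decide(Flow("10.0.2.77", "10.0.3.10", 3306))
    results["stale-ip->db:3306"] = fw.decide(Flow("10.0.2.10", "10.0.3.10", 3306))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24s} {v}")
```

The point of the model is the compartmentalization King describes: a web VM that is compromised can still reach the application port it legitimately needs, but nothing else, and because the rules are keyed on the VM’s tags rather than its address, moving the app VM to a new IP neither opens a gap nor breaks the redirect of database traffic to the inspection firewall. Traffic from the stale address is dropped because no known VM owns it.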

VMware isn’t really announcing microsegmentation today so much as emphasizing it. The specific news around NSX involves release 6.1, being made generally available today. The release includes:

Provisioning and monitoring features added specifically to enhance microsegmentation and security

Easier connectivity to the hybrid cloud, so that service providers can bring tenants into an NSX framework without the customer having NSX on-premises

Craig Matsumoto is managing editor at SDxCentral.com, responsible for the site's content and for covering news. He is a "veteran" of the SDN scene, having started covering it way back in 2010, and his background in technology journalism goes back to 1994. Craig is based in Silicon Valley. He can be reached at craig@sdxcentral.com.

